To disclose or not to disclose?

Disclosing security problems is a good idea, says Bill Thompson, except when it isn't.

In the last few weeks we've seen two very different approaches to the full disclosure of security flaws in large-scale computer systems.

Problems in the domain name system have been kept quiet long enough for vendors to find and fix their software, while details of how to hack Transport for London's Oyster card will soon be available to anyone with a laptop computer and a desire to break the law.

These two cases highlight a major problem facing the computing industry, one that goes back many years and is still far from being resolved.

Given that there are inevitably bugs, flaws and unexpected interactions in complex systems, how much information about them should be made public by researchers when the details could be helpful to criminals or malicious hackers?

Keeping quiet

When Dan Kaminsky discovered a major security flaw in DNS he kept it quiet.

DNS is the service that translates domain names like 'www.bbc.co.uk' into internet protocol addresses like 212.58.253.67 that computers can use. The flaw he found affected almost every internet-connected computer, because it could be used to fool those computers into accepting IP addresses supplied by malicious DNS servers.

As a result someone trying to visit the BBC website, their bank or a webmail account could be sent to a fake site without knowing it.

Instead of publicising what he had found, Kaminsky told vendors such as Microsoft and Sun, and for the past few months they have been working on a co-ordinated solution that involves updates to much of the core software that makes the internet work.

The idea was that the problem would have been resolved before Kaminsky published details at the upcoming Black Hat security conference.

Unfortunately the plan has gone awry in the last few days after another researcher, Halvar Flake, kicked off a discussion about the flaw that prompted Matasano Security to post full details on their own blog. That post has been taken down, but is of course around in the Google cache and the details have circulated widely.

As a result Kaminsky and others are advising any systems administrator who has not yet applied the update to their servers to patch them "Today. Now. Yes, stay late." It's sound advice (and if you're reading this but have unpatched DNS servers then stop now and go and fix your systems).

Publishing details

Kaminsky's caution would seem to contrast starkly with the decision by Professor Bart Jacobs to publish details of the security vulnerabilities his research team has found in the MIFARE Classic, one of the world's most popular contactless smartcards and the chip used in London's Oyster card, vulnerabilities which remain unfixed.

After his team from Holland's Radboud University announced that they planned to publish details of how to copy cards and change their contents at will, the manufacturer, NXP Semiconductors, went to court and were granted a preliminary injunction forbidding publication.

Now a full hearing has overturned the injunction, so the papers will be released as planned, and we will soon know how to add extra money to the balance on our Oyster cards because of the poor security of the system.

However this is not a case of a maverick academic simply publishing without considering the economic or social impact. Jacobs told NXP about his findings in 2007, and even informed the Dutch government so that they could take steps to secure government buildings that used smartcards to control access, while the papers concerned won't be published until October this year.

But instead of using the time to fix the problems NXP has tried to stop publication, arguing that necessary changes will take 'up to a number of years', and ignoring the fact that the necessary skills are probably already in the hands of criminal groups.

The DNS vendors did not head off to court to try to stop Kaminsky speaking at Black Hat, perhaps because DNS is not owned by anyone while NXP Semiconductors own MIFARE and make a lot of money out of it.

Who is right?

DNS is a community good, and we all benefit from its safe and reliable operation, while smartcards generally serve the interests of private companies or those wanting to manage our lives in various ways.

And because NXP was trying to protect its commercial interests rather than those of the wider community, it failed to get the injunction it wanted.

The judge even noted that 'Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings', a remarkably sensible thing for a judge to say in a case about computer security.

So who is right? Dan Kaminsky for keeping things quiet, or Bart Jacobs for pushing ahead with publication?

I think both are.

We can have general principles and decide to override them if circumstances allow, and indeed we do this in many areas of our daily lives so should not expect the politics of technology to be different.

Full disclosure is, in most situations and for most problems, the best way to ensure that those at risk can protect themselves and those responsible for flawed software have an incentive to fix it.

But sometimes, as with Dan Kaminsky's discovery about DNS, a more cautious approach is called for. Kaminsky is not planning to keep his findings secret, but the public interest is best served by allowing those who provide DNS servers the time they need to ensure a smooth transition to updated versions instead of causing a panic.

NXP went to court to protect themselves from the painful reality that their chip is flawed, instead of doing all they could to resolve the problem, and as a result many of their users find themselves having to review their security procedures.

The similarities to arguments about free expression are not mere coincidence, of course.

Shouting 'bug' on a crowded internet is just as dangerous as shouting 'fire' in a crowded theatre, even in societies where free speech is valued and protected by law, and we should not assume that full disclosure is always the right way forward.

Bill Thompson is an independent journalist and regular commentator on the BBC World Service programme Digital Planet.